The MErc20DelegateMadFixer contract contains a critical vulnerability: the sweepAll function performs no zero-address check on its sweeper parameter. As a result, the admin can sweep all underlying tokens to the zero address, where they are irrecoverable, potentially leading to loss of funds.
The vulnerable sweepAll function accepts any address as the sweeper without validation. If the zero address (0x0000000000000000000000000000000000000000) is supplied, the function still executes and transfers the contract's entire underlying token balance to that address.
The impact of this vulnerability could be severe. The admin can drain the entire balance of underlying tokens held by the contract, resulting in a loss of funds for the contract owner and users who have deposited their assets into the contract.
Manual Review
To mitigate the vulnerability, add a zero-address check to sweepAll before the token transfer is executed, so that the call reverts when the supplied sweeper address is the zero address.
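The following is an added illustration, not the project's code: a hypothetical fixer contract (all names assumed) showing the unchecked sweep beside the hardened version with the zero-address check the recommendation calls for.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed by the sweep (constructed for this example).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical fixer contract; contract and function names are assumptions.
contract SweepFixerExample {
    address public admin;
    IERC20 public underlying;

    event Swept(address indexed sweeper, uint256 amount);

    constructor(IERC20 _underlying) {
        admin = msg.sender;
        underlying = _underlying;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // VULNERABLE: `sweeper` is never validated. Passing address(0) still
    // executes and moves the whole balance to an address nobody controls.
    function sweepAllVulnerable(address sweeper) external onlyAdmin {
        uint256 amount = underlying.balanceOf(address(this));
        require(underlying.transfer(sweeper, amount), "transfer failed");
        emit Swept(sweeper, amount);
    }

    // FIXED: reject the zero address before any token movement happens.
    function sweepAll(address sweeper) external onlyAdmin {
        require(sweeper != address(0), "sweeper is zero address");
        uint256 amount = underlying.balanceOf(address(this));
        require(underlying.transfer(sweeper, amount), "transfer failed");
        emit Swept(sweeper, amount);
    }
}
```

Whether the unchecked variant actually burns funds depends on the underlying token (OpenZeppelin-style ERC-20s revert on transfers to address(0), many others do not), so the check in the contract itself is what makes the behaviour safe regardless of token.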